Tag Archives: hosting

One of the main problems with publishing a site on a P2P network is that its availability depends on a running process on the original host until the files have been seeded by other peers. Fortunately, some of DAT’s developers operate a hosting service called ‘HashBase’, which acts as an always-on peer and so keeps our sites persistently available.

A site can be developed very easily from within Beaker’s integrated editor. Mine is a very basic site using Bootstrap.css. When done, review and publish the changes, and the finished site is displayed in the browser at its unique dat:// address.

Next, register an account with HashBase.io. There isn’t much in the way of account configuration here (an account essentially provides a certain amount of storage), so we can go straight to uploading the site’s files.

My site wasn’t accessible after my first attempt, and I assumed it just needed time for the changes to propagate across the network. It turned out that dat.json needed to be modified before HashBase would host it; this isn’t mentioned on the HashBase site itself, only in their documentation on GitHub. The following lines must be added to dat.json:

This was enough to make the site reachable at dat://sapphire-dat.hashbase.io after re-uploading the archive. Reviewing and publishing changes in Beaker may revert dat.json to its default, so it is worth keeping a copy of the above in a separate file called ‘template.json’.

There are other recommended configuration options that matter if we want to host something more than a static site. If you want HTTPS, HashBase will handle the certificate provisioning, provided the following lines are also added:

There’s definitely more to this, but essentially what the Irish Independent (Independent.ie) reports is that Eric Marques, allegedly the operator of Freedom Hosting, is being extradited by the United States government as the ‘biggest facilitator of child pornography’, having been arrested on 29th July. A straightforward case of someone getting caught doing something naughty? Not quite. The story gets interesting.

Freedom Hosting operated a number of Tor hidden services, and these were restored shortly after Marques’ arrest, but something had been planted on them that exploited a JavaScript vulnerability in the browsers of anyone who visited certain addresses with a slightly outdated version of Firefox. The payload caused client machines running Windows to send their MAC address, IP address and hostname to a server at a fixed IP address. Who deployed the malware, and why, is still a matter of speculation.

Was this another politically motivated attack on our freedoms? Initially I thought so, given the US government’s reputation for privacy invasion and malicious hacking. There was also the question of exactly how guilty Marques was, since there is a difference between being ignorant of a crime and actually being responsible for it.

If we look deeper into this, it begins to look as though those responsible had very good intentions. Firstly, there really were child pornographers using Freedom Hosting, and a lot of very prolific ones. Secondly, nobody demonstrates an exploit unless they want to highlight a vulnerability; in this case an attack that sidesteps Tor entirely by compromising the client’s browser, and one that would work just as well against any VPN or onion-routing system, since none of them can protect a client that has already been compromised.

The JS Exploit
What’s interesting here is that the NSA, or whoever it was, left the code visible to everyone, and it is definitely worth studying to gain an understanding of how browser exploits in general work, and of how malware can be loaded onto victims’ machines simply by their visiting a dodgy web site.

From what I understand, the FBI or NSA compromised the Freedom Hosting servers around the time of Marques’ arrest and planted their malware on the relevant hosting accounts before bringing the services back online. It’s unclear exactly which services were affected, but some reckon it included TorMail; entirely possible, but the information it siphoned off is only useful for a limited time.

So a batch of CP distributors running a slightly outdated version of Firefox with JavaScript enabled visit the address, probably to check whether the site is still up, and the JavaScript vulnerability is exploited. The payload runs on their computers (think of it as an executable, but injected into the Firefox process rather than written to disk) and sends the hostname and MAC address over the Internet, outside Tor, to a server in Virginia, which therefore also sees the machine’s real IP address. This happens before the JavaScript redirects the browser to a page that sets a cookie.

Result? Whatever protection Tor might have provided has been defeated, and some intelligence or law enforcement agency now has a list of who visited which pages on Freedom Hosting’s servers.

The exploit itself is pretty hard to read quickly (although some researchers managed it), as most of the work is done by 31 variables/buffers of shellcode, the bulk of it in a variable called ‘magneto’ (the payload itself). Vlad Tsyrklevich has posted the disassembled payload here with comments (disassembly being another thing I must learn). Anyone so inclined could now modify this and swap it back into the exploit.

In that code the IP addresses 65.222.202.53 and 65.222.202.54 were identified, both allocated by Verizon. Researchers considerably more skilled than myself have traced them as far as a Verizon data centre in Virginia and no further, although the range does appear to have been used by nsa.gov. The accuracy of those records has been disputed, so we can’t be fully certain, but it looks like the NSA hinting that they were responsible.
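The two paragraphs above describe the shape of the exploit (shellcode staged in JavaScript string buffers, with the call-home address buried in the payload) and the IP addresses that were recovered from it. The following is an added example, not code from the original post and not the Freedom Hosting exploit itself: it performs the first step of analysing an exploit of that kind, decoding the %uXXXX-encoded strings that unescape() consumes into raw bytes so they can be disassembled, then pulling out printable strings and dotted-quad IP literals for a quick first look. The sample buffer is constructed here for the example (a NOP sled, a few filler bytes and an HTTP fragment naming one of the IPs reported above); it is not the real ‘magneto’ shellcode, and the function names are my own.

```javascript
// Added example, not code from the original post or from the exploit it discusses.
// Recovers raw bytes from %uXXXX-encoded JavaScript shellcode strings and does a
// strings(1)-style triage on them. The sample at the bottom is constructed.

// Decode %uXXXX and %XX escapes into bytes. unescape('%u4142') yields the UTF-16
// code unit 0x4142, which sits in memory as the little-endian bytes 0x42 0x41,
// so that is the byte order reproduced here. Anything that is not an escape is
// an error: a clean shellcode string is escapes from start to finish.
function decodeUnescapeShellcode(escaped) {
  const out = [];
  const re = /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g;
  let m;
  let last = 0;
  while ((m = re.exec(escaped)) !== null) {
    if (m.index !== last) throw new Error(`unexpected text at offset ${last}`);
    if (m[1] !== undefined) {
      const unit = parseInt(m[1], 16);
      out.push(unit & 0xff, unit >> 8);
    } else {
      out.push(parseInt(m[2], 16));
    }
    last = re.lastIndex;
  }
  if (last !== escaped.length) throw new Error(`trailing text at offset ${last}`);
  return Uint8Array.from(out);
}

// The reverse transform, as an exploit author would embed a payload; used here
// only to build the constructed sample from plain bytes.
function encodeUnescapeShellcode(bytes) {
  let s = '';
  for (let i = 0; i + 1 < bytes.length; i += 2) {
    s += '%u' + (bytes[i] | (bytes[i + 1] << 8)).toString(16).padStart(4, '0');
  }
  if (bytes.length % 2 === 1) {
    s += '%' + bytes[bytes.length - 1].toString(16).padStart(2, '0');
  }
  return s;
}

// Runs of printable ASCII of at least minLen characters.
function printableStrings(bytes, minLen = 4) {
  const found = [];
  let run = '';
  for (const b of bytes) {
    if (b >= 0x20 && b <= 0x7e) {
      run += String.fromCharCode(b);
    } else {
      if (run.length >= minLen) found.push(run);
      run = '';
    }
  }
  if (run.length >= minLen) found.push(run);
  return found;
}

// Dotted-quad IPv4 literals among the extracted strings.
function findIPv4(strings) {
  const re = /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g;
  return strings.flatMap((s) => s.match(re) || []);
}

// Leading 0x90 (NOP) bytes: a sled is a strong hint that a buffer is code, not data.
function nopSledLength(bytes) {
  let n = 0;
  while (n < bytes.length && bytes[n] === 0x90) n += 1;
  return n;
}

function analyseExploitBuffer(escaped) {
  const bytes = decodeUnescapeShellcode(escaped);
  const strings = printableStrings(bytes);
  return { length: bytes.length, nopSled: nopSledLength(bytes), strings, ips: findIPv4(strings) };
}

// Constructed sample: a 16-byte NOP sled, three filler bytes, then an ASCII HTTP
// request fragment of the kind a call-home payload carries, naming one of the IPs
// reported in the post. A real payload is far larger and mostly machine code.
const sampleBytes = Uint8Array.from([
  ...new Array(16).fill(0x90),
  0x31, 0xc0, 0xc3, // xor eax,eax ; ret  (filler)
  ...new TextEncoder().encode('GET /tor HTTP/1.1\r\nHost: 65.222.202.53\r\n\r\n'),
  0x00,
]);
const sampleMagneto = encodeUnescapeShellcode(sampleBytes);

console.log(JSON.stringify(analyseExploitBuffer(sampleMagneto), null, 2));
```

Once the bytes are out, the next step is to write them to a file and hand them to a disassembler set to 32-bit x86, which is where Tsyrklevich’s annotated listing picks up. The strings pass is only triage: a payload that builds its target address arithmetically, or stores it as a binary sockaddr, will not show a dotted quad here, which is why the disassembly still has to be read.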

Most people would see this as an attack on digital rights, but the outcome was actually quite favourable to us. Whoever was behind it openly demonstrated how anonymity can be broken by attacking the client rather than the network, and that Tor’s hidden services weren’t as decentralised as we initially thought, given how much of them sat on one hosting provider. And the beautiful thing about it is that the code can be packaged, modified and repurposed by anyone motivated enough to compromise another web server, which is something I warned would (or rather will) happen if the US government started deploying its own malware.

Personally, I doubt this was a political move against Tor users in general. It looks more like someone within a three- or four-letter agency settling scores with CP distributors, and perhaps sending a couple of messages while they were at it. Could it have been a vigilante at work? Not really, as the exploit and IP address harvesting system were in place before Eric Marques was arrested. The payload’s function was also very specific. As Kevin Poulsen at Wired.com put it: ‘Magneto reads like the x86 machine code embodiment of a carefully crafted court order authorizing an agency to blindly trespass into the personal computers of a large number of people, but for the limited purpose of identifying them.’

Under the Cover of Digital Rights
Assuming that TorMail users weren’t the targets here (I have a couple of other strong reasons for making this assumption), this is not a Tor, privacy or digital rights issue, and Freedom Hosting pretty much needed to be taken down. It’s unfortunate that the business also happened to be hosting legitimate services.

a) The operators of Freedom Hosting knowingly had a substantial volume of CP on their servers, and, just so there was no misunderstanding, they were presented with evidence of this by Anonymous back in 2011. Surely, over the course of two years, it might have occurred to them that this was a serious liability?
b) It can also be demonstrated that a good number of those distributing the material simply don’t care about privacy: it took less than 15 minutes to start finding their profiles on the clearweb and the string of other CP forums they were frequenting. These people were using Tor for the sole purpose of covering themselves while committing crimes with real victims. They also get away with it by implicating innocent people, whether through identity fraud or by using someone else’s IP address.

Profile

My name is Michael, and I’m a software developer specialising in clinical systems integration and messaging (API creation, SQL Server, Windows Server, secure comms, HL7/DICOM messaging, Service Broker, etc.), using a toolkit based primarily around .NET and SQL Server, though my natural habitat is the Linux/UNIX command line interface.
Before that, I studied computer security (a lot of networking, operating system internals and reverse engineering) at the University of South Wales, and somehow managed to earn a Master’s degree. My rackmount kit includes an old Dell Proliant, an HP ProCurve Layer 3 switch, two Cisco 2600s and a couple of UNIX systems.
Apart from all that, I’m a martial artist (Aikido and Aiki-jutsu), a practising Catholic, a prolific author of half-completed software, and a volunteer social worker.